1. Research in Cloud Security and Privacy
Modified from Bharat Bhargava, Anya Kim, YounSun Cho

2. Outline Part I: Introduction
Part II: Security and Privacy Issues in Cloud Computing
Part III: Possible Solutions

3. Part I. Introduction Cloud Computing Background Cloud Models
Why do you still hesitate to use cloud computing?
Causes of Problems Associated with Cloud Computing
Taxonomy of Fear
Threat Model

4. Cloud Computing Background
Features
Use of internet-based services to support business process
Rent IT-services on a utility-like basis
Attributes
Rapid deployment
Low startup costs/ capital investments
Costs based on usage or subscription
Multi-tenant sharing of services/ resources
Essential characteristics
On demand self-service
Ubiquitous network access
Location independent resource pooling
Rapid elasticity
Measured service
“Cloud computing is a compilation of existing techniques and technologies, packaged within a new infrastructure paradigm that offers improved scalability, elasticity, business agility, faster startup time, reduced management costs, and just-in-time availability of resources”
Government and Military sectors: complicated procurement rules and stringent security requirements
Cloud-based categories:
Cloud-based applications (SAAS)
Cloud-based development (e.g. Google App Engine)
Cloud-based infrastructure (e.g. Amazon’s EC2)
From [1] NIST 4

5. A Massive Concentration of Resources
Also a massive concentration of risk
expected loss from a single breach can be significantly larger
concentration of “users” represents a concentration of threats
“Ultimately, you can outsource responsibility but you can’t outsource accountability.”
From [2] John McDermott, ACSAC 09

6. Cloud Computing: who should use it?
Cloud computing definitely makes sense if your own security is weak, missing features, or below average.
Ultimately, if
the cloud provider’s security people are “better” than yours (and leveraged at least as efficiently),
the web-services interfaces don’t introduce too many new vulnerabilities, and
the cloud provider aims at least as high as you do, at security goals,
then cloud computing has better security.
From [2] John McDermott, ACSAC 09

7. Cloud Models Delivery Models Deployment Models
SaaS
PaaS
IaaS
Deployment Models
Private cloud
Community cloud
Public cloud
Hybrid cloud
Management Models (trust and tenancy issues)
Self-managed
3rd party managed (e.g. public clouds and VPC)
Trust and tenancy issues as well as loss of control related to the management model
From [1] NIST

8. Impact of cloud computing on the governance structure of IT organizations
From [6] Cloud Security and Privacy by Mather and Kumaraswamy

9. If cloud computing is so great, why isn’t everyone doing it?
The cloud acts as a big black box, nothing inside the cloud is visible to the clients
Clients have no idea or control over what happens inside a cloud
Even if the cloud provider is honest, it can have malicious system admins who can tamper with the VMs and violate confidentiality and integrity
Clouds are still subject to traditional data confidentiality, integrity, availability, and privacy issues, plus some additional attacks

10. Causes of Problems Associated with Cloud Computing
Most security problems stem from:
Loss of control
Lack of trust (mechanisms)
Multi-tenancy
These problems exist mainly in 3rd party management models
Self-managed clouds still have security issues, but not related to above
Data mobility: the ability to share data between cloud services
Where does data reside?
- out-of-state, out-of-country issues
Security Concerns for government in particular
FISMA
How to certify and accredit cloud computing providers under FISMA
(e.g. ISO 27001) 10

11. Loss of Control in the Cloud
Consumer’s loss of control
Data, applications, resources are located with provider
User identity management is handled by the cloud
User access control rules, security policies and enforcement are managed by the cloud provider
Consumer relies on provider to ensure
Data security and privacy
Resource availability
Monitoring and repairing of services/resources

12. Lack of Trust in the Cloud
Trusting a third party requires taking risks
Defining trust and risk
Opposite sides of the same coin (J. Camp)
People only trust when it pays (Economist’s view)
Need for trust arises only in risky situations
Defunct third party management schemes
Hard to balance trust and risk
e.g. Key Escrow (Clipper chip)
Is the cloud headed toward the same path?
Chiles and McMakin (1996) define trust as increasing one’s vulnerability to the risk of opportunistic behavior of another whose behavior is not under one’s control in a situation in which the costs of violating the trust are greater than the benefits of upholding the trust.
Trust here means mostly lack of accountability and verifiability

13. Multi-tenancy Issues in the Cloud
Conflict between tenants’ opposing goals
Tenants share a pool of resources and have opposing goals
How does multi-tenancy deal with conflict of interest?
Can tenants get along together and ‘play nicely’ ?
If they can’t, can we isolate them?
How to provide separation between tenants?
Cloud Computing brings new threats
Multiple independent users share the same physical infrastructure
Thus an attacker can legitimately be in the same physical machine as the target
Who are my neighbors? What is their objective? They present another facet of risk and trust requirements

14. Taxonomy of Fear Confidentiality Fear of loss of control over data
Will the sensitive data stored on a cloud remain confidential?
Will cloud compromises leak confidential client data
Will the cloud provider itself be honest and won’t peek into the data?
Integrity
How do I know that the cloud provider is doing the computations correctly?
How do I ensure that the cloud provider really stored my data without tampering with it?
From [5]

15. Taxonomy of Fear (cont.)
Availability
Will critical systems go down at the client, if the provider is attacked in a Denial of Service attack?
What happens if cloud provider goes out of business?
Would cloud scale well-enough?
Often-voiced concern
Although cloud providers argue their downtime compares well with cloud user’s own data centers
From [5]

16. Taxonomy of Fear (cont.)
Privacy issues raised via massive data mining
Cloud now stores data from a lot of clients, and can run data mining algorithms to get large amounts of information on clients
Increased attack surface
Entity outside the organization now stores and computes data, and so
Attackers can now target the communication link between cloud provider and client
Cloud provider employees can be phished
From [5]

17. Taxonomy of Fear (cont.)
Auditability and forensics (out of control of data)
Difficult to audit data held outside organization in a cloud
Forensics also made difficult since now clients don’t maintain data locally
Legal dilemma and transitive trust issues
Who is responsible for complying with regulations?
e.g., SOX, HIPAA, GLBA ?
If cloud provider subcontracts to third party clouds, will the data still be secure?
From [5]

18. Taxonomy of Fear (cont.)
Cloud Computing is a security nightmare and it can't be handled in traditional ways.
John Chambers
CISCO CEO
Security is one of the most difficult task to implement in cloud computing.
Different forms of attacks in the application side and in the hardware components
Attacks with catastrophic effects only needs one security flaw (

19. Threat Model
A threat model helps in analyzing a security problem, design mitigation strategies, and evaluate solutions
Steps:
Identify attackers, assets, threats and other components
Rank the threats
Choose mitigation strategies
Build solutions based on the strategies
From [5]

20. Threat Model Basic components Attacker modeling Attacker goals
Choose what attacker to consider
insider vs. outsider?
single vs. collaborator?
Attacker motivation and capabilities
Attacker goals
Vulnerabilities / threats
From [5]

21. What is the issue? The core issue here is the levels of trust
Many cloud computing providers trust their customers
Each customer is physically commingling its data with data from anybody else using the cloud while logically and virtually you have your own space
The way that the cloud provider implements security is typically focused on they fact that those outside of their cloud are evil, and those inside are good.
But what if those inside are also evil?
From [5]

22. Attacker Capability: Malicious Insiders
At client
Learn passwords/authentication information
Gain control of the VMs
At cloud provider
Log client communication
Can read unencrypted data
Can possibly peek into VMs, or make copies of VMs
Can monitor network communication, application patterns
Why?
Gain information about client data
Gain information on client behavior
Sell the information or use itself
From [5]

23. Attacker Capability: Outside attacker
What?
Listen to network traffic (passive)
Insert malicious traffic (active)
Probe cloud structure (active)
Launch DoS
Goal?
Intrusion
Network analysis
Man in the middle
Cartography
From [5]

24. Challenges for the attacker
How to find out where the target is located?
How to be co-located with the target in the same (physical) machine?
How to gather information about the target?
From [5]

25. Part II: Security and Privacy Issues in Cloud Computing - Big Picture
From [6] Cloud Security and Privacy by Mather and Kumaraswamy

26. Data Security and Storage
Several aspects of data security, including:
Data-in-transit
Confidentiality + integrity using secured protocol
Confidentiality with non-secured protocol and encryption
Data-at-rest
Generally, not encrypted , since data is commingled with other users’ data
Encryption if it is not associated with applications?
But how about indexing and searching?
Processing of data, including multitenancy
For any application to process data
From [6] Cloud Security and Privacy by Mather and Kumaraswamy

27. Data Security and Storage (cont.)
Data lineage
Knowing when and where the data was located w/i cloud is important for audit/compliance purposes
e.g., Amazon AWS
Store <d1, t1, ex1.s3.amazonaws.com>
Process <d2, t2, ec2.compute2.amazonaws.com>
Restore <d3, t3, ex2.s3.amazonaws.com>
Data provenance
Computational accuracy (as well as data integrity)
E.g., financial calculation: sum ((((2*3)*4)/6) -2) = $2.00 ?
How about dollars of different countries?
Correct exchange rate?
Data remanence
Inadvertent disclosure of sensitive information is possible
From [6] Cloud Security and Privacy by Mather and Kumaraswamy

28. What is Privacy?
The concept of privacy varies widely among (and sometimes within) countries, cultures, and jurisdictions.
It is shaped by public expectations and legal interpretations;
as such, a concise definition is elusive if not impossible.
Privacy rights or obligations are related to the collection, use, disclosure, storage, and destruction of personal data
At the end of the day, privacy is about the accountability of organizations to data subjects, as well as the transparency to an organization’s practice around personal information.
From [6] Cloud Security and Privacy by Mather and Kumaraswamy

29. What Are the Key Privacy Concerns?
Typically mix security and privacy
Some considerations to be aware of:
Storage
Retention
Destruction
Auditing, monitoring and risk management
Privacy breaches
Who is responsible for protecting privacy?
From [6] Cloud Security and Privacy by Mather and Kumaraswamy

30. Part III. Possible Solutions

31. Security Issues in the Cloud
In theory, minimizing any of the issues would help:
Third Party Cloud Computing
Loss of Control
Take back control
Data and apps may still need to be on the cloud
But can they be managed in some way by the consumer?
Lack of trust
Increase trust (mechanisms)
Technology
Policy, regulation
Contracts (incentives)
Multi-tenancy
Private cloud
Takes away the reasons to use a cloud in the first place
VPC: its still not a separate system
Strong separation
While VPC providers argue that they provide superior isolation, the fact of the matter is that your data is not a separate physical system: your data is still stored on actual servers along with other consumers’ data, but logically separated. If the actual server fails, your data and applications stored on it are lost. Also, there needs to be a high level of trust as to the degree of isolation provided.

32. Third Party Cloud Computing
Known issues: Already exist
Confidentiality issues
Malicious behavior by cloud provider
Known risks exist in any industry practicing outsourcing
Provider and its infrastructure needs to be trusted

33. New Vulnerabilities & Attacks
Threats arise from other consumers
Due to the subtleties of how physical resources can be transparently shared between VMs
Such attacks are based on placement and extraction
A customer VM and its adversary can be assigned to the same physical server
Adversary can penetrate the VM and violate customer confidentiality

34. More on attacks…
Collaborative attacks
Mapping of internal cloud infrastructure
Identifying likely residence of a target VM
Instantiating new VMs until one gets co-resident with the target
Cross-VM side-channel attacks
Extract information from target VM on the same machine

35. More on attacks…
Can one determine where in the cloud infrastructure an instance is located?
Can one easily determine if two instances are co-resident on the same physical machine?
Can an adversary launch instances that will be co-resident with other user instances?
Can an adversary exploit cross-VM information leakage once co-resident?
Answer: Yes to all

36. Minimize Lack of Trust: Policy Language
Consumers have specific security needs but don’t have a say-so in how they are handled
Currently consumers cannot dictate their requirements to the provider (SLAs are one-sided)
Standard language to convey one’s policies and expectations
Agreed upon and upheld by both parties
Standard language for representing SLAs
Create policy language with the following characteristics:
Machine-understandable (or at least processable),
Easy to combine/merge and compare
These SLAs typically state the high level policies of the provider (e.g. Will maintain uptime of 98%) and do not allow cloud consumers to dictate their requirements to the provider. COI clouds in particular have specific security policy requirements that must be met by the provider, due to the nature of COIs and the missions they are used for. These requirements need to be communicated to the provider and the provider needs to provide some way of stating that the requirements can be met. Cloud consumers and providers need a standard way of representing their security requirements and capabilities. Consumers also need a way to verify that the provided infrastructure and its purported security mechanisms meet the requirements stated in the consumer’s policy (proof of assertions). For example, if the consumer’s policy requires isolation of VMs, the provider can create an assertion statement that says it uses cache separation to support VM isolation.

37. Minimize Lack of Trust: Certification
Some form of reputable, independent, comparable assessment and description of security features and assurance
Sarbanes-Oxley, DIACAP, DISTCAP, etc
Risk assessment
Performed by certified third parties
Provides consumers with additional assurance

38. Minimize Loss of Control: Monitoring
Cloud consumer needs situational awareness for critical applications
When underlying components fail, what is the effect of the failure to the mission logic
What recovery measures can be taken
by provider and consumer
Requires an application-specific run-time monitoring and management tool for the consumer
The cloud consumer and cloud provider have different views of the system
Enable both the provider and tenants to monitor the components in the cloud that are under their control
When the underlying components fail in the cloud, the effect of the failures to the mission logic needs to be known so that correct recovery measures can be performed. We propose an application-specific run-time monitoring and management tool. With this tool, the application logic can remain on the consumer’s host computer. This allows the consumer to centrally monitor all aspects of the application as well as data flow. Since all outputs from underlying services are sent to the application logic, any data incompatibility between services is not an issue. The capabilities of the run-time monitoring and management tool are as follows: 1) Enable application user to determine the status of the cloud resources that may be used to run the application (across multiple clouds), 2)  Enable application user to determine the real-time security posture and situational awareness of the application, 3) Provide the application user with the ability to move user’s application (or part of it) to another site (other VM in same cloud or different cloud altogether), 4) Provide the application user with the ability to change the application logic on the fly, 5) Provide communicate capabilities with cloud providers. There are a few cloud vendors such as NimSoft [41] and Hyperic [42] that provide application-specific monitoring tools that provide some of the above functionality. These monitoring tools may be further enhanced or used in conjunction with other tools to provide the degree of monitoring required. However, any tool that is to be used for military purposes must also receive some type of accreditation and certification procedure.

39. Minimize Loss of Control: Monitoring (Cont.)
Provide mechanisms that enable the provider to act on attacks he can handle.
infrastructure remapping
create new or move existing fault domains
shutting down offending components or targets
and assisting tenants with porting if necessary
Repairs
Provide mechanisms that enable the consumer to act on attacks that he can handle
application-level monitoring
RAdAC (Risk-adaptable Access Control)
VM porting with remote attestation of target physical host
Provide ability to move the user’s application to another cloud

40. Minimize Loss of Control: Utilize Different Clouds
The concept of ‘Don’t put all your eggs in one basket’
Consumer may use services from different clouds through an intra-cloud or multi-cloud architecture
A multi-cloud or intra-cloud architecture in which consumers
Spread the risk
Increase redundancy (per-task or per-application)
Increase chance of mission completion for critical applications
Possible issues to consider:
Policy incompatibility (combined, what is the overarching policy?)
Data dependency between clouds
Differing data semantics across clouds
Knowing when to utilize the redundancy feature
monitoring technology
Is it worth it to spread your sensitive data across multiple clouds?
Redundancy could increase risk of exposure
Differering data semantics example: does a data item labeled secret in one cloud have the same semantics as another piece of data also labeled secret in a different cloud?

41. Minimize Loss of Control: Access Control
Many possible layers of access control
E.g. access to the cloud, access to servers, access to services, access to databases (direct and queries via web services), access to VMs, and access to objects within a VM
Depending on the deployment model used, some of these will be controlled by the provider and others by the consumer
Regardless of deployment model, provider needs to manage the user authentication and access control procedures (to the cloud)
Federated Identity Management: access control management burden still lies with the provider
Requires user to place a large amount of trust on the provider in terms of security, management, and maintenance of access control policies.
This can be burdensome when numerous users from different organizations with different access control policies, are involved
In cloud computing (as well as other systems), there are many possible layers of access control. For example, access to the cloud, access to servers, access to services, access to databases (direct and queries via web services), access to VMs, and access to objects within a VM. Depending on the deployment model used, some of these will be controlled by the provider and others by the consumer.
For example, Google Apps, a representative SaaS Cloud controls authentication and access to its applications, but users themselves can control access to their documents through the provided interface to the access control mechanism. In IaaS type approaches, the user can create accounts on its virtual machines and create access control lists for these users for services located on the VM.
Regardless of the deployment model, the provider needs to manage the user authentication and access control procedures (to the cloud). While some providers allow federated authentication – enabling the consumer-side to manage its users, the access control management burden still lies with the provider. This requires the user to place a large amount of trust on the provider in terms of security, management, and maintenance of access control policies. This can be burdensome when numerous users from different organizations with different access control policies, are involved. This proposal focuses on access control to the cloud. However, the concepts here could be applied to access control at any level, if deemed necessary. We propose a way for the consumer to manage the access control decision-making process to retain some control, requiring less trust of the provider.
Approach:
This approach requires the client and provider to have a pre-existing trust relationship, as well as a pre-negotiated standard way of describing resources, users, and access decisions between the cloud provider and consumer. It also needs to be able to guarantee that the provider will uphold the consumer-side’s access decisions. Furthermore, we need to show that this approach is at least as secure as the traditional access control model.
This approach requires the data owner to be involved in all requests. Therefore, frequent access scenarios should not use this method if traffic is a concern. However, many secure data outsourcing schemes require the user to grant keys/certificates to the query side, so that every time the user queries a database, the owner needs to be involved. Therefore, not much different than that so may not be a problem.

42. Minimize Loss of Control: Access Control (Cont.)
Consumer-managed access control
Consumer retains decision-making process to retain some control, requiring less trust of the provider
Requires the client and provider to have a pre-existing trust relationship, as well as a pre-negotiated standard way of describing resources, users, and access decisions between the cloud provider and consumer.
It also needs to be able to guarantee that the provider will uphold the consumer-side’s access decisions.
Should be at least as secure as the traditional access control model.

43. Minimize Loss of Control: Access Control
Cloud Provider in Domain A
Cloud Consumer in Domain B
Identity
Provider
1. Authn request
IDP
Policy
Enforcement
Point
(intercepts all
resource
access requests
from all client
domains)
3. Resource request (XACML Request) + SAML assertion
2. SAML Assertion
4. Redirect to domain of resource owner
5. Retrieve policy
for specified resource .
Policy
Decision
Point
for cloud
resource
on Domain A
ACM
(XACML
policies)
resources
7. Send signed and encrypted ticket
6. Determine whether user can access
specified resource
7. Create ticket for grant/deny
8. Decrypt and verify signature
9. Retrieve capability from ticket
10. Grant or deny access based on capability
Security Assertion Markup Language
 eXtensible Access Control Markup Language

44. Minimize Loss of Control: IDM Motivation
User on Amazon Cloud
Name
Password
Billing Address
Shipping Address
Credit Card
Name
Billing Address
Credit Card
Name
Password
Billing Address
Shipping Address
Credit Card
Name
Shipping Address
Name
Shipping Address

45. Minimize Loss of Control: IDM Identity in the Cloud
User on Amazon Cloud
Name
Password
Billing Address
Shipping Address
Credit Card
Name
Billing Address
Credit Card
Name
Password
Billing Address
Shipping Address
Credit Card
Name
Shipping Address
Name
Shipping Address

46. Minimize Loss of Control: IDM Issues in Cloud Computing
Cloud introduces several issues to IDM
Users have multiple accounts associated with multiple service providers.
Present IDMs require a trusted third party and do not work on an untrusted host.
Lack of trust
Use of Trusted Third Party is not an option
Cloud hosts are untrusted
Loss of control
Collusion between Cloud Services
Sharing sensitive identity information between services can lead to undesirable mapping of the identities to the user.
IDM in Cloud needs to be user-centric

47. Minimize Multi-tenancy
Can’t really force the provider to accept less tenants
Can try to increase isolation between tenants
Strong isolation techniques (VPC to some degree)
QoS requirements need to be met
Policy specification
Can try to increase trust in the tenants
Who’s the insider, where’s the security boundary? Who can I trust?
Use SLAs to enforce trusted behavior

48. Conclusion
Cloud computing is sometimes viewed as a reincarnation of the classic mainframe client-server model
However, resources are ubiquitous, scalable, highly virtualized
Contains all the traditional threats, as well as new ones
In developing solutions to cloud computing security issues it may be helpful to identify the problems and approaches in terms of
Loss of control
Lack of trust
Multi-tenancy problems